Changes since 7.1.1:
- Update ruby_parser to remove max version restriction (Chedli Bourguiba)
- Increase minimum Ruby version to 3.2.0
- Reduce SQL injection false positives from count (and other) calls (#1936)
- Remove more XSS false positives related to Haml attribute builder
- Update Minitest version to 6.0
Dependency Updates
Chedli Bourguiba updated RubyParser to 3.22 which removes a Ruby version cap so it can be used with Ruby 4.0.
(changes)
Minitest (dev-only dependency) updated to 6.0. Since Minitest dropped support for Ruby 3.1, this is a good time for Brakeman to do so, too. Minimum Ruby version to run Brakeman is now 3.2.0, although note Brakeman supports parsing of much older versions of Ruby. The version of Ruby used to run Brakeman does not need to match the version used to run the Rails application being scanned.
(changes)
SQL Injection False Positives
Fixes in the previous release caused a high number of false positives related to count calls that were not actually ActiveRecord methods.
This release should address most of these false positives unless the application is using an ancient version of Rails.
(changes)
More Haml Fixes
More methods used by Haml::AttributeBuilder are ignored, as long as the first argument is true (which indicates the output will be HTML-escaped).
(changes)
Reporting Issues
Additional thanks to James Thompson and Sam Partington for fixing the list of supported report types!
As a reminder, supported formats are:
- text - Default
- html
- json
- junit - Specifically compatible with CircleCI
- markdown
- csv
- github
- sarif
- sonar
- tabs - Deprecated, avoid
- codeclimate - Deprecated
Thank you to everyone who reported bugs and contributed to this release!
Please report any issues with this release. Take a look at this guide to reporting Brakeman problems.
Hang out on GitHub for questions and discussion.
Checksums
The SHA256 sums for this release are: